Evolving cybersecurity risk landscape for cell, tissue, and gene therapy companies

As novel therapies are pioneered and the pace of development in the life sciences sector continues to accelerate, cybersecurity and privacy risks have grown alongside them. The collection, transmission, and storage of vast amounts of sensitive data create additional potential exposure. Academic, trade, and other publications have underscored these risks across Electronic Medical Records (EMR), next-generation DNA sequencing, AI technologies, and clinical trials.

The challenge is not only for an organization to secure the data in its own possession; it is also to manage the risk created by the many third parties that have access to that data. Clinical trials, for example, may involve multiple entities, including trial sites, clinical research organizations, vendors, and sponsors, all of whom need access to clinical trial data. Data may also need to be shared with IRBs, the FDA, or other regulatory authorities providing oversight. Health systems likewise have a multitude of vendors and other third parties with access to their data, such as EMR vendors, AI technology vendors, cloud storage providers, health plans, regulators, staffing agencies, and many others. Each of these relationships is a further potential vector for exposure: a bad actor who compromises one third party's network can reach data it was entrusted with, even if the originating organization's own controls were never breached.

This scenario is not hypothetical. Life sciences companies have been targeted by cyberattacks, and, not surprisingly, data breach notices have followed. Companies have received extortion demands in which bad actors threaten to release stolen data on the dark web or elsewhere unless they are paid. Once legally mandated notices are sent, lawsuits often follow, with the potential for regulatory scrutiny as well. The expansion of the plaintiffs' bar has meant that most data breach notices are reviewed by plaintiffs' firms, which then seek to recruit clients to bring lawsuits against the breached entities.

On the regulatory front, the Office for Civil Rights (OCR), which enforces HIPAA, is required to investigate any data breach affecting 500 or more individuals. These investigations are significant, typically extending beyond the specific incident to examine HIPAA compliance more broadly, and, where findings are made, fines, penalties, and corrective action plans are in play. State Attorneys General also often investigate reported data breaches and incidents, seeking to impose both injunctive and monetary terms. We have even seen regulators open investigations before receiving official notice, prompted by news coverage of an incident or a publicized release of data on the dark web. This area is thus fraught with significant risk for entities handling sensitive health data. Risk mitigation involves not only ensuring the entity's own privacy and security compliance and controls, but also conducting diligence on vendors with access to such data and obtaining strong contractual representations and indemnification terms that apply in the event of an incident.

Authors

Adam A. Cooke

Partner, Litigation, Arbitration, and Employment, Washington, D.C.

Melissa B. Levine

Partner, Global Regulatory, Washington, D.C.
